Sweetening android lemon markets: measuring and combating malware in application marketplaces

Abstract

Application marketplaces are the main software distribution mechanism for modern mobile devices but are also emerging as a viable alternative to brick-and-mortar stores for personal computers. While most application marketplaces require applications to be cryptographically signed by their developers, in Android marketplaces, self-signed certificates are common, thereby offering very limited authentication properties. As a result, there have been reports of malware being distributed through application "repackaging". We provide a quantitative assessment of this phenomenon by collecting 41,057 applications from 194 alternative Android application markets in October 2011, in addition to a sample of 35,423 applications from the official Android market, Google Play. We observe that certain alternative markets almost exclusively distribute repackaged applications containing malware. To remedy this situation we propose a simple verification protocol, and discuss a proof-of-concept implementation, AppIntegrity. AppIntegrity strengthens the authentication properties offered in application marketplaces, thereby making it more difficult for miscreants to repackage apps, while presenting very little computational or communication overhead, and being deployable without requiring significant changes to the Android platform.